from the non-testimonial-act-of-producing-evidence-against-yourself dept

When it comes to the Fifth Amendment, you're better off with a password or PIN securing your device, rather than your fingerprint. Cellphone manufacturers introduced fingerprint readers in an effort to protect users from thieves or other unauthorized access. But it does nothing at all to prevent law enforcement from using their fingerprints to unlock seized devices.

The US Supreme Court hasn't seen a case involving compelled production of fingerprints land on its desk yet and there's very little in the way of federal court decisions to provide guidance. What we have to work with is scattered state court decisions and the implicit understanding that no matter how judges rule, a refusal to turn over a fingerprint or a password is little more than a way to add years to an eventual sentence.

The Minnesota Supreme Court has issued the final word on fingerprints and the Fifth Amendment for state residents. In upholding the appeals court ruling, the Supreme Court says a fingerprint isn't testimonial, even if it results in the production of evidence used against the defendant. (h/t FourthAmendment.com)

Although the Supreme Court’s distinction between the testimonial act of producing documents as evidence and the nontestimonial act of producing the body as evidence is helpful to our analysis, the act here—providing the police a fingerprint to unlock a cellphone—does not fit neatly into either category. Unlike the acts of standing in a lineup or providing a blood, voice, or handwriting sample, providing a fingerprint to unlock a cellphone both exhibits the body (the fingerprint) and produces documents (the contents of the cellphone). Providing a fingerprint gives the government access to the phone’s contents that it did not already have, and the act of unlocking the cellphone communicates some degree of possession, control, and authentication of the cellphone’s contents. See Hubbell, 530 U.S. at 36. But producing a fingerprint to unlock a phone, unlike the act of producing documents, is a display of the physical characteristics of the body, not of the mind, to the police. See Schmerber, 384 U.S. at 763.

Because we conclude that producing a fingerprint is more like exhibiting the body than producing documents, we hold that providing a fingerprint to unlock a cellphone is not a testimonial communication under the Fifth Amendment.

The ruling notes the defendant did try to holdout on this, sticking to his Fifth Amendment arguments. But when the trial court gives you only unpalatable options, defendants tend to give prosecutors what they want.

The district court concluded that compelling Diamond’s fingerprint would not violate his Fifth Amendment privilege because “[c]ompelling the production of [Diamond’s] fingerprint or thumbprint would not call upon the use of [his] mind. It is more akin to providing a key to a lockbox.” Accordingly, it ordered Diamond to “provide a fingerprint or thumbprint as deemed necessary by the Chaska Police Department to unlock his seized cell phone.”

Diamond continued to object to providing the necessary fingerprint for unlocking the phone. Nevertheless, he finally unlocked the cellphone with his fingerprint in court after being held in civil contempt and warned of the possibility and consequences of criminal contempt.

This is an aspect never discussed by the FBI and others engaged in the war on encryption. Many, many people can be motivated to unlock devices when faced with the prospect of indefinite imprisonment on contempt charges. It's something that should work in all but the most extreme criminal cases where the potential imprisonment might be as close to indefinite as humanly possible.

[court]LAWYER: Did u kill him?ME: NoL: You know what the punishment is for committing perjury?ME [lips on the mic] Much less than murder

from the might-as-well-take-your-time,-as-it's-actually-someone-else's dept

We wrote about this case last April, and it appears very little has changed over the last 10 months. Francis Rawls, a former Philadelphia policeman, is still in jail because he has refused to decrypt his computer for prosecutors. At this point, Rawls has been jailed for sixteen months on contempt of court charges.

The federal court system appears to be in no hurry to resolve an unresolved legal issue: does the Fifth Amendment protect the public from being forced to decrypt their digital belongings? Until this is answered, Rawls is likely to continue to languish behind bars. A federal appeals court heard oral arguments about Rawls' plight last September. So far, there's been no response from the US 3rd Circuit Court of Appeals, based in Philadelphia.

If Rawls' devices had been secured with a fingerprint, there's a good chance he'd already have been forced to unlock his devices. There haven't been a lot of decisions pertaining to the use of fingerprints to decrypt devices, but those we have seen indicate judges don't view the taking/application of suspects' fingerprints to be "testimonial." Unlocking a device that contains evidence to convict a person apparently doesn't undermine their right to not be forced to testify against themselves. The reasoning in a recent appeals court decision was that a fingerprint is not something stored in a suspect's mind. Therefore, it's not testimony. It's, for lack of better words, a bodily "fact," like the blood stored in a suspect or a suspect's resemblance to a person described by eyewitnesses.

Because Rawls is facing child pornography charges, there hasn't been much public support for his legal battle. The problem with ignoring this one and waiting for a "better" case to roll around is that the weakening (or rewriting) of Constitutional protections almost always starts with the worst cases. Once precedent and/or legislation is in place, the diminished protections affect everyone -- even those whose alleged actions are far less socially-abhorrent as the accused in this case.

The EFF, however, has stepped into the breach -- as it has in other cases where child porn suspects are central to battles over Constitutional rights.

The Electronic Frontier Foundation told the court in a friend-of-the-court brief (PDF) that "compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them. The Fifth Amendment provides an absolute privilege against such self-incriminating compelled decryption."

The other aspect of this case that bears watching is the All Writs Order the government has deployed to obtain this fingerprint. The All Writs Act of 1789 is seeing an uptick in deployment 200+ years after its passage. The government uses this any time it can't find statutory authority for its demands. It's a feature of the Act, not a bug, and its increased use suggests several other laws are badly in need of updating -- and not just in the government's favor. There are at least as many gaps in protections as there are gaps in authority in the laws governing digital data and communications, many of which were written long before the internet became the main means of public communication and storage capacity/prices allowed any person to store several lifetimes of information on devices small enough to stick in their pockets.

from the giving-The-Man-the-finger-no-longer-subversive;-actually-helpful dept

As was hinted heavily three years ago, you might be better off securing your phone with a passcode than your fingerprint. While a fingerprint is definitely unique and (theoretically...) a better way to keep thieves and snoopers from breaking into your phone, it's not much help when it comes to your Fifth Amendment protections against self-incrimination.

The Minnesota Appeals Court has ruled [PDF] that unlocking a phone with a fingerprint is no more "testimonial" than a blood draw, police lineup appearance, or even matching the description of a suspected criminal. (h/t Orin Kerr)

Diamond relies on In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012), to support his argument that supplying his fingerprint was testimonial. In In re Grand Jury, the court reasoned that requiring the defendant to decrypt and produce the contents of a computer’s hard drive, when it was unknown whether any documents were even on the encrypted drive, “would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Id. at 1346. The court concluded that such a requirement is analogous to requiring production of a combination and that such a production involves implied factual statements that could potentially incriminate. Id.

By being ordered to produce his fingerprint, however, Diamond was not required to disclose any knowledge he might have or to speak his guilt. See Doe, 487 U.S. at 211, 108 S. Ct. at 2348. The district court’s order is therefore distinguishable from requiring a defendant to decrypt a hard drive or produce a combination. See, e.g., In re Grand Jury, 670 F.3d at 1346; United States v. Kirschner, 823 F. Supp. 2d 665, 669 (E.D. Mich. 2010) (holding that requiring a defendant to provide computer password violates the Fifth Amendment). Those requirements involve a level of knowledge and mental capacity that is not present in ordering Diamond to place his fingerprint on his cellphone. Instead, the task that Diamond was compelled to perform—to provide his fingerprint—is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing.

Of course, it's what's contained in the now-unlocked device that might be incriminating, which is why Diamond pointed to In re Grand Jury as being analogous to the forced provision of a fingerprint. The court's rebuttal of this argument, however, doesn't make a lot of sense. It says the process that unlocked the device requires no knowledge or mental capacity -- which is certainly true -- but that the end result, despite being the same (the production of evidence against themselves) is somehow different because of the part of the body used to obtain access (finger v. brain).

In recounting the obtaining of the print, the court shows that some knowledge is imparted by this effort -- information not possessed by law enforcement or prosecutors.

Diamond also argues that he “was required to identify for the police which of his fingerprints would open the phone” and that this requirement compelled a testimonial communication. This argument, however, mischaracterizes the district court’s order. The district court’s February 11 order compelled Diamond to “provide a fingerprint or thumbprint as deemed necessary by the Chaska Police Department to unlock his seized cell phone.” At the April 3 contempt hearing, the district court referred to Diamond providing his “thumbprint.” The prosecutor noted that they were “not sure if it’s an index finger or a thumb.” The district court answered, “Take whatever samples you need.” Diamond then asked the detectives which finger they wanted, and they answered, “The one that unlocks it.”

This is something only Diamond would know, and by unlocking the phone, he would be demonstrating some form of control of the device as well as responsibility for its contents. So, it is still a testimonial act, even if it doesn't rise to the mental level of retaining a password or combination. (And, if so, would four-digit passcodes be less "testimonial" than a nine-digit alphanumeric password, if the bright line comes down to mental effort?)

Given the reasoning of the court, it almost appears as though Diamond may have succeeded in this constitutional challenge if he had chosen to do so at the point he was ordered to produce the correct finger.

It is clear that the district court permitted the state to take samples of all of Diamond’s fingerprints and thumbprints. The district court did not ask Diamond whether his prints would unlock the cellphone or which print would unlock it, nor did the district court compel Diamond to disclose that information. There is no indication that Diamond would have been asked to do more had none of his fingerprints unlocked the cellphone. Diamond himself asked which finger the detectives wanted when he was ready to comply with the order, and the detectives answered his question. Diamond did not object then, nor did he bring an additional motion to suppress the evidence based on the exchange that he initiated.

And so, in first decision of its kind for this Appeals Court, the precedent established is that fingerprints are less protective of defendants' Fifth Amendment rights than passwords.

A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives.

The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order.

The Fifth Amendment should prevent the government from punishing a person for not testifying against themselves, which is what's being argued by the defendant's representation in its appeal to the Third Circuit. (Although it's actually indirect representation. The government's case is actually against Doe's devices ["United States of America v. Apple MacPro Computer, et al"] and his lawyer is hoping for a stay of the contempt order during the appeal process.)

Mr. Doe… has a strong likelihood of success on the second issue: whether compelling the target of a criminal investigation to recall and divulge an encryption passcode transgresses the Fifth Amendment privilege against self-incrimination. Supreme Court precedent already instructs that a suspect may not be compelled to disclose the sequence of numbers that will open a combination lock — clearly auguring the same rule for any compelled disclosure of the sequence of characters constituting an encryption passcode.

Doe's rep also argues that the All Writs order obtained by the government has no jurisdiction over Doe or his devices.

Mr. Doe’s first claim is that the district court lacked subject matter jurisdiction. The claim stems from the government’s apparently unprecedented use of an unusual procedural vehicle to attempt to compel a suspect to give evidence in advance of potential criminal charges. Specifically, the government took resort not to a grand jury, but to a magistrate judge pursuant to the All Writs Act, 28 U.S.C. § 1651. (Ex. F at 1).

It is black letter law that the All Writs Act never supplies “any federal subject-matter jurisdiction in its own right[.]” Sygenta Crop Protection, Inc. v. Henson, 537 U.S. 28, 31 (2002) (citation omitted). It is equally well-settled that the Act has no application where other provisions of law specifically address the subject matter concerned. Pennsylvania Bureau of Correction v. United States Marshals Service, 474 U.S. 34, 40-42 (1985). The compelled production of evidence in advance of criminal charges is specifically addressed by Rules 6 and 17 of the Federal Rules of Criminal Procedure, which authorize the issuance and enforcement of grand jury subpoenas; and by 28 U.S.C. § 1826(a), which specifies the authorized penalties for a witness who refuses without good cause to give the evidence demanded by the grand jury.

As it stands now, Doe is still being held in contempt of court for refusing to decrypt his devices for investigators. The district court that held him in contempt has refused direct appeal of that order, resulting in the labyrinthine legal strategy of using the government's case against Doe's devices as a vehicle for challenging the lower court's contempt order.

Doe has not been charged, yet he's in prison. Backing up the government's assertions for holding him in contempt are two dubious pieces of hearsay. One is from his estranged sister, who claims to have seen child porn on Doe's computer, but can't actually say whether it was located on the devices the government is seeking to have decrypted. The other is from some sort of law enforcement encryption whisperer, who can apparently see things in the scrambled bits.

The government’s second witness was Detective Christopher Tankelewicz, a forensic examiner with the Delaware County District Attorney’s Office. He testified only that it was his “best guess” child pornography would be found on the hard drives. (Ex. J at 346). According to Tankelewicz’s understanding of the Freenet online network (in which he admits having no training), there were signs on an Apple Mac Pro computer seized with the hard drives of a user accessing or trying to access message boards with names suggestive of child pornography. (Ex. J at 306, 311-312, 339-340). In rather ambiguous testimony, Tankelewicz did not appear to say this meant any image traded over these boards was on the hard drives. (See Ex. J at 303-317, 336-340, 345-350). Instead, he identified a single image he believed there to be a “possibility” was on the drives. (Ex. J at 308-309). As he described it, the image was of “a four or five-year-old girl with her dress lifted up, but the image itself was small so you really couldn’t see what was going on with the image.” (Ex. J at 308).

No one wants to see a sex offender walk away from charges, but at this point, Doe hasn't even been officially charged with anything more than contempt. The problem with that charge is it has no end date. He can either stay in jail or comply with the order, even when the order conjures jurisdiction out of nowhere and violates his Fifth Amendment rights. If the government doesn't have enough evidence to pursue a case against Doe, it should cut him loose until it does.

The order finding Francis Rawls guilty of contempt contains a footnote pointing to the government's use of an All Writs order to force Rawls to unlock his devices -- and, one would think -- allow the government to dodge a Fifth Amendment rights violation.

On July 29, 2015, the Government obtained a search warrant for certain electronic media previously seized by Delaware County and Philadelphia County law enforcement officials. Dkt. No. 1. On August 3, 2015, the Government made an application pursuant to that All Writs Act to require Francis Rawls to assist in the execution of a previously executed search warrant.

"Assist in the execution" means forcing Rawls to possibly provide evidence against himself, depending on what's contained in the devices. However, the court didn't see it this way. It considered his unlocking of the devices to be "non-testimonial." While it did grant him a chance to respond to the All Writs application, it ultimately found in favor of the government.

Importantly, the August 27th Order rejected Rawls contention that providing any assistance to the Government would violate his Fifth Amendment privilege against self-incrimination.

More on the court's reasoning can be found in the order granting the government's All Writs application -- again relegated to a footnote.

By way of a "Motion to Quash Government's Application to Compel" filed August 26, 2015, Mr. Rawls objects to providing assistance to the government in the execution of the search warrant because his act of decrypting the electronic devices seized by the government would be considered testimonial and, therefore, violate his Fifth Amendment privilege against self-incrimination. However, federal courts have recognized the "foregone conclusion" doctrine. The courts hold that the act of production of encryption codes is not testimony - even if this production conveys a fact regarding the possession or authenticity of the images contained in the electronic devices - if the government can show with "reasonable particularity" that, at the time it sought to compel the assistance of Mr. Rawls, it already knew of the materials, thereby making any testimonial aspect a "foregone conclusion."

[...]

Here, the Affidavit of Special Agent David Bottalico, supporting the application for a Search Warrant, establishes that (1) the Government has custody of the electronic devices; (2) prior to the Government's seizure, Mr. Rawls possessed, accessed and owned all the electronic devices; and (3) there are images on the electronic devices that constitute child pornography. Therefore, under the "foregone conclusion" doctrine, requiring Mr. Rawls to assist in the decrypting of those devices does not violate his privilege against self-incrimination.

According to this reasoning, the government already "knows" what's contained on the devices, so there's nothing incriminating about Rawls unlocking them for it. But why would that require the use of an All Writs order? It would seem if the evidence is a "foregone conclusion," then there's no need for the devices to be unlocked at all. The government should have all the evidence it needs to continue with its prosecution.

The All Writs Act is in place to work around limitations in law -- for situations where current laws don't completely apply. Lately, it seems to used most often to advance ahead of Congress and exploit areas where technology has outpaced legislation. In this case, the Act is being used to create a loophole in the Fifth Amendment -- seemingly for no other reason than to allow the government to bolster its case. While that is the point of seeking evidence, it would appear the government already has evidence of criminal activity and is using All Writs to do what it can't do directly without jeopardizing its prosecution: force Rawls to unlock his devices.

The case citations are also illuminating. Apparently all the government needs to acquire an All Writs order compelling decryption is the knowledge that a.) said device exists and b.) the government knows where it is located.

[U]nited States v. Sabit, 2014 WL 1317082, at *2 (E.D. Mich. April 1, 2014) ("[W]hen a witness produces a document that the government knows exists, the act of production is tantamount to a "surrender" and is not "testimonial.")

[...]

United States v. Fricosu, 841F.Supp.2d1232, 1236 (D. Colo. 2012) (defendant's Fifth Amendment privilege against self-incrimination was not implicated by requiring her to produce the unencrypted contents of a computer, when the government knew of the existence and location of the computer's files); In re Boucher, 2009 WL 424718, at *3 (D. Vt. Feb. 19, 2009) (requiring defendant to produce an unencrypted version of his laptop's Z drive did not constitute compelled testimonial communication when the government previously knew the location of the Z drive and its files).

Brad Heath notes that this a "more common" use for All Writs requests. There does appear to be some history here. Notably, a similar effort made during a prosecution over similar subject matter was denied by a magistrate judge in Wisconsin. While the judge in the 2015 case found the unlocking of devices to be "non-testimonial" and a foregone conclusion, Judge William E. Callahan Jr. found it to be "compelled incrimination" -- a violation of the defendant's Fifth Amendment rights.

This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with “reasonably particularity”—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.

The only difference between the two cases is the strength of the government's assertions as to the defendant's "personal access and control" of the devices in question. Because much of the docket is sealed in the 2015 case involving Rawls, we can't see firsthand what evidence the government provided that makes this case stronger than the 2013 case where its All Writs request was denied. (We do have access to Rawls' lawyer's arguments to the contrary.) The footnote contained in the contempt order only points to an affidavit by an FBI agent stating that devices were in Rawls' possession and he owned them -- right up until they were seized.

So, it appears the Fifth Amendment only goes so far in the US judicial system. But if it's that limited, it would seem an All Writs order is extraneous. If there's nothing protecting defendants from incriminating themselves when compelled by an All Writs order, then there's nothing stopping the FBI from "sweating down" defendants until they comply. As interpreted in this case, the only difference between an All Writs order and several hours of nonstop interrogation is FBI man-hours.

Rawls' case made be headed for the Appeals Court, but he'll be spending that intervening time in jail. His motion to stay the contempt order pending appeal was also denied.

from the and-off-we-go dept

Apple didn't need to reply until tomorrow, but has now released its Motion to Vacate the magistrate judge's order from last week, compelling Apple to create a new operating system that undermines a couple of key security features, so that the FBI could then brute force the passcode on Syed Farook's work iPhone. It's clearly a bit of a rush job as there are a few typos (and things like incorrect page numbers in the table of contents). However, it's not too surprising to see the crux of Apple's argument. In summary it's:

The 1789 All Writs Act doesn't apply at all to this situation for a whole long list of reasons that most of this filing will explain.

Even if it does, the order is an unconstitutional violation of the First Amendment (freedom of expression) and the Fifth Amendment (due process).

I really do recommend reading the 65 page filing (it goes fast!). But on the assumption that you have more of a life than we do, let's dig in and detail what Apple's argument is. The brief is quite well written (other than the typos) in making the issues pretty clear:

This is not a case about one isolated iPhone. Rather, this case is about the
Department of Justice and the FBI seeking through the courts a dangerous power that
Congress and the American people have withheld: the ability to force companies like
Apple to undermine the basic security and privacy interests of hundreds of millions of
individuals around the globe. The government demands that Apple create a back door
to defeat the encryption on the iPhone, making its users’ most confidential and
personal information vulnerable to hackers, identity thieves, hostile foreign agents, and
unwarranted government surveillance. The All Writs Act, first enacted in 1789 and on
which the government bases its entire case, “does not give the district court a roving
commission” to conscript and commandeer Apple in this manner. Plum Creek Lumber
Co. v. Hutton, 608 F.2d 1283, 1289 (9th Cir. 1979). In fact, no court has ever
authorized what the government now seeks, no law supports such unlimited and
sweeping use of the judicial process, and the Constitution forbids it.

The motion also notes the importance of strong encryption in keeping people safe and secure:

Since the dawn of the computer age, there have been malicious people dedicated
to breaching security and stealing stored personal information. Indeed, the government
itself falls victim to hackers, cyber-criminals, and foreign agents on a regular basis,
most famously when foreign hackers breached Office of Personnel Management
databases and gained access to personnel records, affecting over 22 million current and
former federal workers and family members. In the face of this daily siege, Apple is
dedicated to enhancing the security of its devices, so that when customers use an
iPhone, they can feel confident that their most private personal information—financial
records and credit card information, health information, location data, calendars,
personal and political beliefs, family photographs, information about their children—will be safe and secure. To this end, Apple uses encryption to protect its customers
from cyber-attack and works hard to improve security with every software release
because the threats are becoming more frequent and sophisticated. Beginning with
iOS 8, Apple added additional security features that incorporate the passcode into the
encryption system. It is these protections that the government now seeks to roll back
by judicial decree.

And the filing makes it clear that the government is lying in claiming that this is all just about this phone:

The government says: “Just this once” and “Just this phone.” But the
government knows those statements are not true; indeed the government has filed
multiple other applications for similar orders, some of which are pending in other
courts.2 And as news of this Court’s order broke last week, state and local officials
publicly declared their intent to use the proposed operating system to open hundreds of
other seized devices—in cases having nothing to do with terrorism. If this order is
permitted to stand, it will only be a matter of days before some other prosecutor, in
some other important case, before some other judge, seeks a similar order using this
case as precedent. Once the floodgates open, they cannot be closed, and the device
security that Apple has worked so tirelessly to achieve will be unwound without so
much as a congressional vote. As Tim Cook, Apple’s CEO, recently noted: “Once
created, the technique could be used over and over again, on any number of devices.
In the physical world, it would be the equivalent of a master key, capable of opening
hundreds of millions of locks—from restaurants and banks to stores and homes. No
reasonable person would find that acceptable.”

There's a footnote in the middle of that which points to Manhattan DA Cyrus Vance already talking about why he supports the FBI, and how he has 155 to 160 phones that he wants to force Apple to help unlock.

Apple also details how accepting the government's interpretation of the All Writs Act here could easily extend in absolutely crazy ways:

Finally, given the government’s boundless interpretation of the All Writs Act, it
is hard to conceive of any limits on the orders the government could obtain in the
future. For example, if Apple can be forced to write code in this case to bypass
security features and create new accessibility, what is to stop the government from
demanding that Apple write code to turn on the microphone in aid of government
surveillance, activate the video camera, surreptitiously record conversations, or turn on
location services to track the phone’s user? Nothing.

Unfortunately, the FBI, without consulting Apple or reviewing its public
guidance regarding iOS, changed the iCloud password associated with one of the
attacker’s accounts, foreclosing the possibility of the phone initiating an automatic
iCloud back-up of its data to a known Wi-Fi network... which could have obviated the need
to unlock the phone and thus for the extraordinary order the government now seeks.21
Had the FBI consulted Apple first, this litigation may not have been necessary.

Apple's filing also does a good job debunking the DOJ's ridiculous "this is no burden, because it's just software and Apple writes software" argument:

The compromised operating system that the government demands would require
significant resources and effort to develop. Although it is difficult to estimate, because
it has never been done before, the design, creation, validation, and deployment of the
software likely would necessitate six to ten Apple engineers and employees dedicating
a very substantial portion of their time for a minimum of two weeks, and likely as
many as four weeks.... Members of the team would
include engineers from Apple’s core operating system group, a quality assurance
engineer, a project manager, and either a document writer or a tool writer....
No operating system currently exists that can accomplish what the government
wants, and any effort to create one will require that Apple write new code, not just
disable existing code functionality.... Rather, Apple will need to design and
implement untested functionality in order to allow the capability to enter passcodes
into the device electronically in the manner that the government describes.... In
addition, Apple would need to either develop and prepare detailed documentation for
the above protocol to enable the FBI to build a brute-force tool that is able to interface
with the device to input passcode attempts, or design, develop and prepare
documentation for such a tool itself.... Further, if the tool is utilized remotely
(rather than at a secure Apple facility), Apple will also have to develop procedures to
encrypt, validate, and input into the device communications from the FBI.... This
entire development process would need to be logged and recorded in case Apple’s
methodology is ever questioned, for example in court by a defense lawyer for anyone
charged in relation to the crime....

Once created, the operating system would need to go through Apple’s quality
assurance and security testing process.... Apple’s software ecosystem is
incredibly complicated, and changing one feature of an operating system often has
ancillary or unanticipated consequences.... Thus, quality assurance and
security testing would require that the new operating system be tested on multiple devices and validated before being deployed.... Apple would have to undertake
additional testing efforts to confirm and validate that running this newly developed
operating system to bypass the device’s security features will not inadvertently destroy
or alter any user data.... To the extent problems are identified (which is almost
always the case), solutions would need to be developed and re-coded, and testing
would begin anew.... As with the development process, the entire quality
assurance and security testing process would need to be logged, recorded, and
preserved.... Once the new custom operating system is created and validated, it
would need to be deployed on to the subject device, which would need to be done at an
Apple facility.... And if the new operating system has to be destroyed and
recreated each time a new order is issued, the burden will multiply.

From there we dig into the meat of the filing: that the All Writs Act doesn't apply.

The All Writs Act (or the “Act”) does not provide the judiciary with the
boundless and unbridled power the government asks this Court to exercise. The Act is
intended to enable the federal courts to fill in gaps in the law so they can exercise the
authority they already possess by virtue of the express powers granted to them by the
Constitution and Congress; it does not grant the courts free-wheeling authority to
change the substantive law, resolve policy disputes, or exercise new powers that
Congress has not afforded them. Accordingly, the Ninth Circuit has squarely rejected
the notion that “the district court has such wide-ranging inherent powers that it can
impose a duty on a private party when Congress has failed to impose one. To so rule
would be to usurp the legislative function and to improperly extend the limited federal
court jurisdiction.”

Congress has never authorized judges to compel innocent third parties to
provide decryption services to the FBI. Indeed, Congress has expressly withheld that
authority in other contexts, and this issue is currently the subject of a raging national
policy debate among members of Congress, the President, the FBI Director, and state
and local prosecutors. Moreover, federal courts themselves have never recognized an
inherent authority to order non-parties to become de facto government agents in
ongoing criminal investigations. Because the Order is not grounded in any duly
enacted rule or statute, and goes well beyond the very limited powers afforded by
Article III of the Constitution and the All Writs Act, it must be vacated.

In short, Apple is leaning heavily on the idea that CALEA pre-empts the All Writs Act here, and that CALEA explicitly says that companies can't be forced into helping to decrypt encrypted content. Beyond that, Apple is claiming that it's "too far removed" from the case for the All Writs Act to apply and mocks the idea (put forth by the DOJ) that because Apple licenses its software instead of selling it, that makes it okay:

Apple is no more connected to this phone than General Motors is to a
company car used by a fraudster on his daily commute. Moreover, that Apple’s
software is “licensed, not sold,”..., is “a total red herring,” as Judge
Orenstein already concluded.... A licensing
agreement no more connects Apple to the underlying events than a sale. The license
does not permit Apple to invade or control the private data of its customers. It merely
limits customers’ use and redistribution of Apple’s software. Indeed, the government’s
position has no limits and, if accepted, would eviscerate the “remoteness” factor
entirely, as any company that offers products or services to consumers could be
conscripted to assist with an investigation, no matter how attenuated their connection
to the criminal activity. This is not, and never has been, the law.

From there, Apple attacks the argument that there is no undue burden on Apple if it's forced to build this system, which Apple calls GovtOS. It starts out by noting that the idea that Apple can just create the software for this one phone and delete it appears nonsensical when put in context:

Moreover, the government’s flawed suggestion to delete the program and erase
every trace of the activity would not lessen the burden, it would actually increase it
since there are hundreds of demands to create and utilize the software waiting in the
wings..... If Apple creates new software to open a back door, other federal
and state prosecutors—and other governments and agencies—will repeatedly seek
orders compelling Apple to use the software to open the back door for tens of
thousands of iPhones. Indeed, Manhattan District Attorney Cyrus Vance, Jr., has made
clear that the federal and state governments want access to every phone in a criminal
investigation.... [Charlie Rose, Television Interview of Cyrus Vance (Feb. 18, 2016)]
(Vance stating “absolutely” that he “want[s] access to all those phones that [he thinks]
are crucial in a criminal proceeding”). This enormously intrusive burden—building
everything up and tearing it down for each demand by law enforcement—lacks any
support in the cases relied on by the government, nor do such cases exist.

The alternative—keeping and maintaining the compromised operating system
and everything related to it—imposes a different but no less significant burden, i.e.,
forcing Apple to take on the task of unfailingly securing against disclosure or
misappropriation the development and testing environments, equipment, codebase,
documentation, and any other materials relating to the compromised operating system.... Given the millions of iPhones in use and the value of the data on them,
criminals, terrorists, and hackers will no doubt view the code as a major prize and can
be expected to go to considerable lengths to steal it, risking the security, safety, and
privacy of customers whose lives are chronicled on their phones. Indeed, as the
Supreme Court has recognized, “[t]he term ‘cell phone’ is itself misleading shorthand;
. . . these devices are in fact minicomputers” that “could just as easily be called
cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums,
televisions, maps, or newspapers.”...By forcing Apple to write code to compromise its encryption defenses, the
Order would impose substantial burdens not just on Apple, but on the public at large.
And in the meantime, nimble and technologically savvy criminals will continue to use
other encryption technologies, while the law-abiding public endures these threats to
their security and personal liberties—an especially perverse form of unilateral
disarmament in the war on terror and crime.

That last point is key. Criminals will still use other forms of encryption, while forcing Apple to do this harms everyone else by putting them more at risk.

Here Apple goes even deeper in questioning what are the limits to the All Writs Act:

For example, under the
same legal theories advocated by the government here, the government could argue
that it should be permitted to force citizens to do all manner of things “necessary” to
assist it in enforcing the laws, like compelling a pharmaceutical company against its
will to produce drugs needed to carry out a lethal injection in furtherance of a lawfully
issued death warrant, or requiring a journalist to plant a false story in order to help
lure out a fugitive, or forcing a software company to insert malicious code in its autoupdate
process that makes it easier for the government to conduct court-ordered
surveillance.

Next, Apple calls bullshit on the DOJ's claim that it absolutely needs Apple's help here. First, the FBI messed things up with the whole resetting iCloud password thing, and then what about the NSA? Why can't the NSA just hack in? That's what the following is saying in a more legalistic way:

... the government has failed to demonstrate that the requested
order was absolutely necessary to effectuate the search warrant, including that it
exhausted all other avenues for recovering information. Indeed, the FBI foreclosed
one such avenue when, without consulting Apple or reviewing its public guidance
regarding iOS, the government changed the iCloud password associated with an
attacker’s account, thereby preventing the phone from initiating an automatic iCloud back-up.... Moreover, the government has not made any showing that it
sought or received technical assistance from other federal agencies with expertise in
digital forensics, which assistance might obviate the need to conscript Apple to create
the back door it now seeks. See... (Judge Orenstein asking the government “to make a representation for
purposes of the All Writs Act” as to whether the “entire Government,” including the
“intelligence community,” did or did not have the capability to decrypt an iPhone, and
the government responding that “federal prosecutors don’t have an obligation to
consult the intelligence community in order to investigate crime”).

From there, we move onto the Constitutional arguments, which the court might not even address if it decides the All Writs Act doesn't apply. But, here, Apple starts with the First Amendment concerns of "compelled" speech.

Under well-settled law, computer code is treated as speech within the meaning
of the First Amendment.... The Supreme Court has made clear that where, as here, the government seeks to
compel speech, such action triggers First Amendment protections..... Compelled speech is a content-based restriction subject to exacting
scrutiny... and so may only be upheld if it is narrowly tailored to obtain a compelling state interest....

The government cannot meet this standard here. Apple does not question the
government’s legitimate and worthy interest in investigating and prosecuting terrorists,
but here the government has produced nothing more than speculation that this iPhone
might contain potentially relevant information... It is well known that terrorists and other criminals use highly sophisticated
encryption techniques and readily available software applications, making it likely that
any information on the phone lies behind several other layers of non-Apple encryption....

This argument feels a bit weakly supported. Then there's the Fifth Amendment argument, concerning due process:

In addition to violating the First Amendment, the government’s requested order,
by conscripting a private party with an extraordinarily attenuated connection to the
crime to do the government’s bidding in a way that is statutorily unauthorized, highly
burdensome, and contrary to the party’s core principles, violates Apple’s substantive
due process right to be free from “‘arbitrary deprivation of [its] liberty by
government.’”

Again, this feels a bit weakly developed, but not surprisingly so. Apple is betting heavily that its main argument, concerning the All Writs Act not applying, will win the day (which seems to have a strong likelihood of being true). The Constitutional arguments are just being thrown in there so that they're in the case at this stage, and can then be raised on appeal, should it get to that level.

I imagine the DOJ will respond to this before long as well, so stay tuned (we certainly will).

from the blueprint-for-fifth-amendment-evasion-currently-in-progress dept

A recent opinion issued in a prosecution by the Securities and Exchange Commission seems to indicate the government can't force members of the public to hand over passwords without violating the Fifth Amendment. But the details suggest something else: that this is limited to a very specific set of circumstances and is not in any way precedential, at least not at this point.

The courts have previously weighed in on the legality of forcing people to basically provide incriminating evidence against themselves through the compelled relinquishment of passwords. Back in 2013, a magistrate judge rejected an order compelling a defendant to decrypt a seized hard drive by providing the government with his password. A year later, the Massachusetts Supreme Court came to the opposite conclusion: that the compelled production of passwords did not have Fifth Amendment implications.

The DOJ has argued that it doeshave the right to demand passwords to unlock seized items and actually found a judge that agreed with it. In that case, the court found that unlocking a device was no different than producing documents at the government's request -- distancing it from the "compelled speech" against a person's own interests that the Fifth Amendment is supposed to guard against.

The Securities and Exchange Commission (SEC) is investigating Bonan and Nan Huang for insider trading. The two worked at the credit card company Capital One as data analysts. According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.

Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.

But here’s the problem: The SEC can’t get in. Neither can Capital One. Only the defendants know the passcodes. And the defendants have refused to disclose them. As much as Capital One may want to aid the SEC in prosecuting its former employees, it can't.

The SEC sought an order to compel the production of the passcodes. The suspects refused on Fifth Amendment grounds. This brings us to the tricky details of this case, which suggest it won't become an across-the-board Fifth Amendment-protected "right" to deny the government access to password-protected devices and storage.

The government argued for the compelled production of passwords using the "foregone conclusion" doctrine.

The doctrine, introduced in Fisher v. United States, says that the Fifth Amendment doesn’t block complying with a court order when the testimonial part of complying with a court order is a foregone conclusion. In other words, if the government already knows the testimonial part of complying with the order, and they’re not seeking to prove it from the order, then you can’t use the Fifth Amendment to avoid compliance with the order.

In the government's creative interpretation of the doctrine, the production of passcodes would be no more than the defendants acknowledging they used the phones Capital One supplied them with -- something the government already knows and which has been confirmed by Capital One. Therefore, there are no Fifth Amendment implications. The judge disagreed, correctly pointing out that the government was seeking access to documents possibly contained on the phones, rather than simply seeking to confirm what it already suspected: that the phones were used by the defendants.

By using one thing to achieve another, the government was stretching its "foregone conclusion" to cover any evidence discovered on the unlocked phones. If the defendants have reason to believe incriminating documents resided on those phones, they are well within their Fifth Amendment rights to refuse the government's request. Or so you would think.

Should the SEC ultimately succeed with this interpretation of the "foregone conclusion" doctrine, it will have compelled incriminating testimony. It claims that it's merely seeking to confirm ownership by seeing if the passcodes unlock the phones. But once they're unlocked, it can compel the production of documents. Should these prove to be incriminating, it already has the defendants' admissions that these are their cell phones.

So, this case is less about securing Fifth Amendment rights than the government exploring options on how to obtain permission to compel defendants to hand over access to possibly incriminating information. If the court holds firm in its view of the government's true aims, it will be a small win for constitutional rights but one unlikely to be applied broadly.

If this analysis is right, then the password is incriminating because it provides a link to the evidence. The government could grant the defendants immunity, but it would need to be use and derivative use immunity — that is, immunity not just from the actual testimony but from what the testimony would reveal.See Counselman v. Hitchcock, 142 U.S. 547, 585 (1892). The defendants should win. That’s where Jonathan comes out, and it might be correct.

But I’m not sure. Here’s my question: Does the “link in the chain” test include a merely causal link — that is, a link in the chain to the evidence? Or does “link in the chain” mean that the testimony was part of the evidence of guilt but not enough to prove the entire offense — that is, a link within the body of evidence? If testimony is solely of value for its causal connection to evidence, and it has no evidentiary value itself, is the testimony incriminating?

If the government can argue that compelled production of passwords that leads to the discovery of incriminating material is merely causal (rather than the password itself being evidence of guilt), it may be able to skirt the Fifth Amendment entirely. This has obvious implications in the ongoing law enforcement war on encryption. With no firmly established legal footing for the argument that demanding passwords violates the Fifth Amendment, password-protected encryption will be ultimately no more safe than leaving everything unlocked and in plaintext.

So, while the court has -- for the moment -- denied the government's request to compel the production of passwords, the underlying legal entanglements don't exactly bode well for the future of the Fifth Amendment.

from the putting-the-'rights'-back-in-'rightscorp' dept

Third-party copyright troll Rightscorp is fighting a couple of lawsuits related to its alleged telephonic harassment of alleged infringers. One wonders what the ROI is on funding robocalling in pursuit of $10-20 "settlements" from suspected infringers. Whatever it is, the ROI is definitely edging further into the red, what with the company now paying lawyers to safeguard its "right" to harass and threaten people who won't pay up (or haven't even performed any infringing activity).

I don't make this assertion lightly. Multiple complaints made to the FCC back up the assertions being made in two class-action lawsuits. Rightscorp has responded to the allegations made in the lawsuit filed earlier this year, claiming the company willfully violated the Telephone Consumer Protection Act (TCPA) in its "collection" efforts. (Note that most collection efforts revolve around unpaid bills -- something consumers previously agreed to pay in one form or another. Rightscorp's "collections" involve no agreement from consumers -- only accusations based on little more than snippets of torrent activity and an IP address. And yet, the company treats accused infringers as though this is unpaid debt, rather than the speculative wallet-rummaging it actually is.)

Rightscorp's response is hilarious -- although certainly not intentionally. First off, it denies pretty much every allegation except for the issuing of subpoenas and emails -- things nearly impossible to deny thanks to the paper trail they create.

While the majority of its eleven defenses are questionable enough, the defenses 3-6 attack the law itself, claiming that TCPA is unconstitutional, namely it violates the First, Fifth, Fourteenth, and Eighth Amendments. Why is it so, Rightscorp doesn’t say.

From the filing:

The Telephone Consumer Protection Act (“the TCPA”), codified at 47 U.S.C. § 227, upon which Plaintiffs’ claims rely, violate the First Amendment of the United States Constitution.

[...]

The TCPA violates the Due Process Clauses of the Fifth and Fourteenth Amendments of the United States Constitution.

[...]

The TCPA violates the Excessive Fines Clause of the Eighth Amendment of the United States Constitution.

It appears Rightscorp would rather have the court examine a law twice held to be constitutional than look into its "collection" activities.

The First Amendment argument isn't exactly novel. Rightscorp and Warner Bros. have previously argued that copyright trolling is free speech. But, in that case, at least it actually made an argument. The affirmative defense offered here is nothing more than literally "the law violates the First Amendment," something no court has held to this point.

Beyond that, the other affirmative Constitutional defenses offered by Rightscorp are probably going to be viewed as "novel" by the court -- something that's rarely a compliment when it's written in a judicial opinion. As of right now, they're not even arguments. They're just assertions. The real fun will begin when Rightscorp starts explaining how violating a consumer protection law is not just protected speech, but is safeguarded by the application of Fifth, Eighth and Fourteenth Amendments.

from the upvote-for-FBI-visit dept

Back in 2010, Redditor Yasir Afifi found an unusual device on his car while taking it in for an oil change.

Other Redditors surmised it was some sort of tracking device -- something that was confirmed a few days later when two SUVs full of cops and FBI agents showed up to reclaim it. While doing so, the FBI agent also asked the sort of probing questions that make the agency an indispensable part of our nation's counterterrorism efforts. From the ruling by Judge Beryl Howell:

The agents also asked the plaintiff other questions, including “whether he was a national security threat, whether he was having financial difficulties, [and] whether he had been to Yemen . . . .”

They also said other, more unsettling things:

After returning the GPS device, defendant Kanaan made several comments to the plaintiff that indicated to the plaintiff that the FBI had knowledge of the plaintiff’s movements, including commenting on certain restaurants at which the plaintiff ate, a friend with whom he associated, and a new job at which he worked. Id. at ¶ 46. At the end of the encounter, the plaintiff alleges that defendant Kanaan suggested to him that he was not a national security threat and that he was no longer of use to the FBI.

Apparently, part of the justification for deploying this tracking device was a comment one of Afifi's friends had left at Reddit -- a comment that skewers a lot of unproductive terrorism hysteria (and the agencies that thrive in this atmosphere).

bombing a mall seems so easy to do. i mean all you really need is a bomb, a regular outfit so you arent the crazy guy in a trench coat trying to blow up a mall and a shopping bag. i mean if terrorism were actually a legitimate threat, think about how many fucking malls would have blown up already.. you can put a bag in a million different places, there would be no way to foresee the next target, and really no way to prevent it unless CTU gets some intel at the last minute in which case every city but LA is fucked...so...yea...now i'm surely bugged : /

End result? A tracking device on Afifi's car, and for something he didn't even write. So, he sued the FBI and the DOJ for violating his First, Fourth and Fifth Amendment rights. The suit was stayed by the court while the Supreme Court sorted out US v. Jones -- a case dealing with warrantless GPS tracking. Unfortunately, the Court returned not much in the way of a decision, stating that GPS tracking did constitute a "search," but didn't go so far as to add a warrant requirement, suggesting the longer the tracking lasts, the worse it is constitutionally.

Whether or not this was warrantless surveillance isn't answered in Howell's decision. None of Afifi's claims survive. Qualified immunity nullifies Afifi's First and Fourth Amendment Bivens claims with an assist from the circuit courts' split on warrantless GPS tracking. As the events in question took place nearly two years ahead of the Supreme Court's decision, Howell defers to the rulings in place at that time (2010) as governing the agents' actions.

[T]he warrantless use of a GPS device was lawful under Ninth Circuit precedent at the time of its use in the present case. In other words, the individual defendants’ warrantless use of the GPS device was valid in California, the jurisdiction in which the individual defendants used the GPS device.

Afifi's First Amendment claim also goes down, seeing as there's no judicial precedent for chilling speech with a GPS tracker.

The plaintiff has failed to cite a single case from any Circuit holding that the warrantless use of a GPS device violates an individual’s First Amendment rights. To be sure, the qualified immunity analysis does not require a “case directly on point,” Al-Kidd, 131 S.Ct. at 2083, but a court must take caution in properly defining the scope of the right violated (“We have repeatedly told courts . . . not to define clearly established law at a high level of generality.”). [...] The plaintiff’s inability to cite a single case in support of his contention that the warrantless use of a GPS device violated his First Amendment rights dooms his claim.

Afifi's claim of Privacy Act violations caused by the FBI's continued retention of his case records after closing the investigation doesn't fare any better. There's plenty of precedent out there stating that relevant investigative records are forever even if the investigation isn't.

In addition, the fact that the investigation into the plaintiff is now closed does not render the records invalid under Section (e)(7). The D.C. Circuit has held that an agency may maintain records from an authorized investigation even after that investigation was closed, because “[m]aterials may continue to be relevant to a law enforcement activity long after a particular investigation undertaken pursuant to that activity has been closed...”

The present case is no different. The records now in the FBI’s possession may permit the FBI to verify or evaluate any new intelligence received, assess the reliability of other sources, and ensure accountability regarding how the FBI responded to the information it received.

Howell also points out that challenges to warrantless searches generally result in suppression of evidence, not nullification of entire investigations. Afifi's claims that he is being locked out by potential employers because of his run-in with the FBI are dismissed as "self-inflicted" -- not because Afifi had the misfortune of being acquainted with a person whose Reddit comment drew FBI heat, but because he "reported his confrontation with the FBI agents to local and national media, and the media published numerous stories about the encounter."

The moral of this tale seems to be that if you discover a tracking device on your vehicle, there's no faster way to be rid of it than posting pictures of it on a heavily-trafficked website. (As opposed to, say, throwing it in a lake, as one commenter suggested.) You may not find relief through the courts, but at least you'll be ensured of some form of closure.

"I'm thinking there's probably a wealth of information that just got tucked into your pocket," Norton says. "Something that we'd like to get our hands on."

Easy for law enforcement officers to say, but today's phones have more in common with a personal computer than they do with, say, the contents of someone's pants pockets, as the state of Texas memorably argued.

The courts have offered mixed opinions as to whether a warrant is needed to view the contents of someone's phone. This lack of a "bright line" is increasingly problematic as smartphones have become a convenient, pocket-sized data center that can reveal plenty of information that wouldn't normally be accessible without a warrant.

The NPR story deals only with access granted by warrants, but it does lead off with another Detective Norton quote which points out how officers will attempt to separate the ignorant from their (possibly incriminating) evidence.

Once he's seized a phone, Norton says, he often has to return to the owner to ask for help.

"Maybe you've established a rapport and you're getting along with this person," Norton says. "We'll reach out to that person and say, 'Hey, your phone's locked. We'd like to inspect it. We'll probably be getting a warrant. Would you give us your password?' "

Refusing to hand over a password shouldn't seem to be a problem, but like the issue listed above, the courts have been unclear as to whether the Fifth Amendment's protections against self-incrimination extends to passwords. This could lead to obstruction charges or contempt of court for the phone's owner.

Just getting a warrant doesn't necessarily make everything OK, either. There's a ton of non-relevant data on any given smartphone, all of which can easily be accessed once the phone is unlocked. Narrowly-written warrants that set limits on what officers can and can't look at are a partial solution, but one that few law enforcement agencies are likely to follow.

Blindly diving into the contents of someone's smartphone exposes a whole lot of information, and if officers aren't exactly sure where this incriminating data is located, they'll probe around until they can find it. Armed with just enough "belief and information" to be dangerous, they'll easily be able to make the case that all contents are "relevant" until proven otherwise. This obviously raises privacy concerns, but again, there's no specific protection in place for these contents, which some courts have argued contain no "expectation of privacy" thanks to constant "checkins" with third party providers and services.

Not that the lack of a warrant or permission will necessarily prevent the phone from being searched. (That "problem" can always be dealt with later in the courtroom…)

Companies such as Guidance Software and Cellebrite sell products to law enforcement that "image" smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don't support this, so it's a constant effort to keep the forensic software up to date.

As Morris notes, cellphone companies aren't cooperating in providing back doors for law enforcement to access phones without warrants. So, like our very own NSA, these companies use exploits to crack phones for curious cops.

These phone-copying systems rely heavily on what hackers call "exploits," or vulnerabilities in the phones' operating systems that can be used to get around the password or encryption.

All in all, Apple's phones are more secure than Android handsets. But either way, having to go through the warrant process can mean weeks to months of waiting (if the handset needs to be returned to the manufacturer) for the release of "rescued" data. (Courts have been more reluctant to force defendants to turn over passwords, seeing this as more of a clear Fifth Amendment violation.) Not surprisingly, this turnaround time is considered unacceptable, hence the arms race of private company vs. private company to gain (and maintain) control of a smartphone's contents.

Even considering the oft-abused Third Party Doctrine, it would seem that a warrantless search of a smartphone would be a Fourth Amendment violation. There's just too much information stored on the average smartphone to be compared to anything found on a person during a normal search. And, as a New York law student recently asked Supreme Court Justice Antonin Scalia, isn't searching someone's computer roughly equivalent to their "effects," Fourth Amendment-wise? For all intents and purposes, a smartphone is a portable computer, loaded with a person's "effects" and creating a time/date/location "event" every time it pings a cell tower.

Considering how much info can be gathered from a single smartphone, It's little wonder law enforcement wants to peek at arrestees' smartphones, but the courts need to do a bit of catching up to today's cellphone realities. And there needs to be more attention paid to the fact that law enforcement agencies are partnering with private companies to crack phones, apparently without asking for a warrant first.